--- /dev/null
+.. _auth_indicator:
+
+Authentication indicators
+=========================
+
+As of release 1.14, the KDC can be configured to annotate tickets if
+the client authenticated using a stronger preauthentication mechanism
+such as :ref:`PKINIT <pkinit>` or :ref:`OTP <otp_preauth>`. These
+annotations are called "authentication indicators." Service
+principals can be configured to require particular authentication
+indicators in order to authenticate to that service. An
+authentication indicator value can be any string chosen by the KDC
+administrator; there are no pre-set values.
+
+To use authentication indicators with PKINIT or OTP, first configure
+the KDC to include an indicator when that preauthentication mechanism
+is used. For PKINIT, use the **pkinit_indicator** variable in
+:ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the
+token type definition.
+
+To require an indicator to be present in order to authenticate to a
+service principal, set the **require_auth** string attribute on the
+principal to the indicator value to be required. If you wish to allow
+one of several indicators to be accepted, you can specify multiple
+indicator values separated by spaces.
+
+For example, a realm could be configured to set the authentication
+indicator value "strong" when PKINIT is used to authenticate, using a
+setting in the :ref:`kdc_realms` subsection::
+
+ pkinit_indicator = strong
+
+A service principal could be configured to require the "strong"
+authentication indicator value::
+
+ $ kadmin setstr host/high.value.server require_auth strong
+ Password for user/admin@KRBTEST.COM:
+
+A user who authenticates with PKINIT would be able to obtain a ticket
+for the service principal::
+
+ $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
+ $ kvno host/high.value.server
+ host/high.value.server@KRBTEST.COM: kvno = 1
+
+but a user who authenticates with a password would not::
+
+ $ kinit user
+ Password for user@KRBTEST.COM:
+ $ kvno host/high.value.server
+ kvno: KDC policy rejects request while getting credentials for
+ host/high.value.server@KRBTEST.COM
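Review bot: the **require_auth** paragraph leaves the matching rule implicit; it should say that a space-separated list is satisfied when any one of the listed indicators is present in the ticket (there is no way to demand that all of several be present), and, because whitespace is the separator, that an indicator value chosen for **pkinit_indicator** or the OTP **indicator** tag must not itself contain spaces or it can never be required. Two small additions to the worked example would also help: after the `kadmin setstr host/high.value.server require_auth strong` line, show that the attribute can be read back with `kadmin getstrs host/high.value.server`, and after the password case point out that, as the transcript shows, `kinit` succeeds and only the service-ticket request is refused with the policy error, so a user already holding a password-derived TGT stays locked out of the service until they re-authenticate with PKINIT.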
passed to the RADIUS server. Otherwise, the realm will be
included. The default value is ``true``.
+**indicator**
+ This tag specifies an authentication indicator to be included in
+ the ticket if this token type is used to authenticate. This
+ option may be specified multiple times. (New in release 1.14.)
+
In the following example, requests are sent to a remote server via UDP::
[otp]
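Review bot: the new **indicator** entry should say what repeating the tag means rather than only that it "may be specified multiple times" (presumably every listed value is added to the ticket; if the last occurrence wins, that needs saying), and it should cross-reference :ref:`auth_indicator` so a reader of the OTP reference can find the **require_auth** side of the feature. Since the indicator is attached per token type, one sentence advising that token types of different strength be given distinct indicator values would make the "strong" example on the main page directly usable for OTP deployments.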
Specifies the location of the KDC's X.509 identity information.
This option is required if pkinit is to be supported by the KDC.
+**pkinit_indicator**
+ Specifies an authentication indicator to include in the ticket if
+ pkinit is used to authenticate. This option may be specified
+ multiple times. (New in release 1.14.)
+
**pkinit_kdc_ocsp**
Specifies the location of the KDC's OCSP.
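Review bot: **pkinit_indicator** is correctly ordered between pkinit_identity and pkinit_kdc_ocsp, but the entry should cross-reference :ref:`auth_indicator` and repeat, as that page does, that the value is an arbitrary string with no pre-set vocabulary, so administrators editing kdc.conf do not go looking for a fixed set of names. As with the OTP **indicator** tag, "may be specified multiple times" should state the resulting behaviour (all listed indicators added), and it would be worth noting that a value containing spaces cannot be matched by a space-separated **require_auth** attribute.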
KRB5_AS_REP.rst
KRB5_AS_REQ.rst
KRB5_AUTHDATA_AND_OR.rst
+ KRB5_AUTHDATA_AUTH_INDICATOR.rst
+ KRB5_AUTHDATA_CAMMAC.rst
KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst
KRB5_AUTHDATA_FX_ARMOR.rst
KRB5_AUTHDATA_IF_RELEVANT.rst
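Review bot: the two new toctree entries KRB5_AUTHDATA_AUTH_INDICATOR.rst and KRB5_AUTHDATA_CAMMAC.rst (and KRB5_KEYUSAGE_CAMMAC.rst in the following hunk) reference documents that do not appear anywhere in this diff; confirm the three .rst files are added in the same commit, each with the macro's value and a one-line description, otherwise Sphinx will warn about a toctree entry pointing at a nonexistent document. The placement is alphabetical and consistent with the neighbouring entries.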
KRB5_KEYUSAGE_AS_REP_ENCPART.rst
KRB5_KEYUSAGE_AS_REQ.rst
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst
+ KRB5_KEYUSAGE_CAMMAC.rst
KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst
KRB5_KEYUSAGE_FAST_ENC.rst
to get additional information about the current request, including the
maximum allowable clock skew, the client's long-term keys, the
DER-encoded request body, the FAST armor key, string attributes on the
-client's database entry, and the client's database entry itself.
+client's database entry, and the client's database entry itself. The
+**verify** method can assert one or more authentication indicators to
+be included in the issued ticket using the ``add_auth_indicator``
+callback (new in release 1.14).
The **edata** and **verify** methods can be implemented
asynchronously. Because of this, they do not return values directly
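Review bot: the sentence appended to the end of the "get additional information" paragraph reads as a continuation of the list of available request data, and it is imprecise about cardinality; make it its own short paragraph and say that each ``add_auth_indicator`` call adds one indicator, so asserting several means calling it once per value. It should also cross-reference :ref:`auth_indicator` so plugin authors know the string is matched verbatim against a principal's **require_auth** attribute, which argues for making the indicator value module-configurable (as the OTP and PKINIT modules do via their **indicator** and **pkinit_indicator** settings) rather than hardcoding it.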